Abstract

We present and analyze two algorithms for computing the Hilbert class polynomial $H_D$. The first is a $p$-adic lifting algorithm for inert primes $p$ in the order of discriminant $D < 0$. The second is an improved Chinese remainder algorithm which uses the class group action on CM-curves over finite fields. Our run time analysis gives tighter bounds for the complexity of all known algorithms for computing $H_D$, and we show that all methods have comparable run times.

1 Introduction 

For an imaginary quadratic order $\mathcal{O} = \mathcal{O}_D$ of discriminant $D < 0$, the $j$-invariant of the complex elliptic curve $\mathbb{C}/\mathcal{O}$ is an algebraic integer. Its minimal polynomial $H_D \in \mathbb{Z}[X]$ is called the Hilbert class polynomial. It defines the ring class field $K_\mathcal{O}$ corresponding to $\mathcal{O}$, and within the context of explicit class field theory, it is natural to ask for an algorithm to explicitly compute $H_D$.

Algorithms to compute $H_D$ are also interesting for elliptic curve primality proving [2] and for cryptographic purposes [6]; for instance, pairing-based cryptosystems using ordinary curves rely on complex multiplication techniques to generate the curves. The classical approach to compute $H_D$ is to approximate the values $j(\tau_\mathfrak{a}) \in \mathbb{C}$ of the complex analytic $j$-function at points $\tau_\mathfrak{a}$ in the upper half plane corresponding to the ideal classes $\mathfrak{a}$ for the order $\mathcal{O}$. The polynomial $H_D$ may be recovered by rounding the coefficients of $\prod_{\mathfrak{a} \in \mathrm{Cl}(\mathcal{O})} (X - j(\tau_\mathfrak{a})) \in \mathbb{C}[X]$ to the nearest integer. It is shown in [8] that an optimized version of that algorithm has a complexity that is essentially linear in the output size.

Alternatively one can compute $H_D$ using a $p$-adic lifting algorithm. Here, the prime $p$ splits completely in $K_\mathcal{O}$ and is therefore relatively large: it satisfies the lower bound $p > |D|/4$. In this paper we give a $p$-adic algorithm for inert primes $p$. Such primes are typically much smaller than totally split primes, and under GRH there exists an inert prime of size only $O((\log |D|)^2)$. The complex multiplication theory underlying all methods is more intricate for inert primes $p$, as the roots of $H_D \in \mathbb{F}_{p^2}[X]$ are now $j$-invariants of supersingular elliptic curves. In Section 2 we explain how to define the canonical lift of a supersingular elliptic curve, and in Section 4 we describe a method to explicitly compute this lift.

In another direction, it was suggested in [1] to compute $H_D$ modulo several totally split primes $p$ and then combine the information modulo $p$ using the Chinese remainder theorem to compute $H_D \in \mathbb{Z}[X]$. The first version of this algorithm was quite impractical, and in Section 3 we improve this 'multi-prime approach' in two different ways. We show how to incorporate inert primes, and we improve the original approach for totally split primes using the class group action on CM-curves. We analyze the run time of the new algorithm in Section 5 in terms of the logarithmic height of $H_D$, its degree, the largest prime needed to generate the class group of $\mathcal{O}$ and the discriminant $D$. Our tight bounds on the first two quantities from Lemmata 1 and 2 apply to all methods to compute $H_D$. For the multi-prime approach, we derive the following result.

Theorem 1 The algorithm presented in Section 3 computes, for a discriminant $D < 0$, the Hilbert class polynomial $H_D$. If GRH holds true, the algorithm has an expected run time
$$O\left(|D| (\log |D|)^{7+o(1)}\right).$$
Under heuristic assumptions, the complexity becomes
$$O\left(|D| (\log |D|)^{3+o(1)}\right).$$
We conclude by giving examples of the presented algorithms in Section 6.

2 Complex multiplication in characteristic p 

Throughout this section, $D < -4$ is any discriminant, and we write $\mathcal{O}$ for the imaginary quadratic order of discriminant $D$. Let $E/K_\mathcal{O}$ be an elliptic curve with endomorphism ring isomorphic to $\mathcal{O}$. As $\mathcal{O}$ has rank 2 as a $\mathbb{Z}$-algebra, there are two isomorphisms $\varphi: \mathcal{O} \to \mathrm{End}(E)$. We always assume we have chosen the normalized isomorphism, i.e., for all $\gamma \in \mathcal{O}$ we have $\varphi(\gamma)^* \omega = \gamma \omega$ for all invariant differentials $\omega$. For ease of notation, we write $E$ for such a 'normalized elliptic curve,' the isomorphism $\varphi$ being understood.

For a field $F$, let $\mathrm{Ell}_D(F)$ be the set of isomorphism classes of elliptic curves over $F$ with endomorphism ring $\mathcal{O}$. The ideal group of $\mathcal{O}$ acts on $\mathrm{Ell}_D(K_\mathcal{O})$ via
$$j(E) \mapsto j(E)^\mathfrak{a} = j(E/E[\mathfrak{a}]),$$
where $E[\mathfrak{a}]$ is the group of $\mathfrak{a}$-torsion points, i.e., the points that are annihilated by all $\alpha \in \mathfrak{a} \subseteq \mathcal{O} = \mathrm{End}(E)$. As principal ideals act trivially, this action factors through the class group $\mathrm{Cl}(\mathcal{O})$. The $\mathrm{Cl}(\mathcal{O})$-action is transitive and free, and $\mathrm{Ell}_D(K_\mathcal{O})$ is a principal homogeneous $\mathrm{Cl}(\mathcal{O})$-space.

Let $p$ be a prime that splits completely in the ring class field $K_\mathcal{O}$. We can embed $K_\mathcal{O}$ in the $p$-adic field $\mathbb{Q}_p$, and the reduction map $\mathbb{Z}_p \to \mathbb{F}_p$ induces a bijection $\mathrm{Ell}_D(\mathbb{Q}_p) \to \mathrm{Ell}_D(\mathbb{F}_p)$. The $\mathrm{Cl}(\mathcal{O})$-action respects reduction modulo $p$, and the set $\mathrm{Ell}_D(\mathbb{F}_p)$ is a $\mathrm{Cl}(\mathcal{O})$-torsor, just like in characteristic zero. This observation is of key importance for the improved 'multi-prime' approach explained in Section 3.

We now consider a prime $p$ that is inert in $\mathcal{O}$, fixed for the remainder of this section. As the principal prime $(p) \subset \mathcal{O}$ splits completely in $K_\mathcal{O}$, all primes of $K_\mathcal{O}$ lying over $p$ have residue class degree 2. We view $K_\mathcal{O}$ as a subfield of the unramified degree 2 extension $L$ of $\mathbb{Q}_p$. It is a classical result, see [5] or [14, Th. 13.12], that for $[E] \in \mathrm{Ell}_D(L)$, the reduction $E_p$ is supersingular. It can be defined over the finite field $\mathbb{F}_{p^2}$, and its endomorphism ring is a maximal order in the unique quaternion algebra $A_{p,\infty}$ which is ramified at $p$ and $\infty$. The reduction map to $\mathbb{F}_{p^2}$ also induces an embedding $f: \mathcal{O} \to \mathrm{End}(E_p)$. This embedding is not surjective, as it is in the totally split case, since $\mathrm{End}(E_p)$ has rank 4 as a $\mathbb{Z}$-algebra, and $\mathcal{O}$ has rank 2.

We let $\mathrm{Emb}_D(\mathbb{F}_{p^2})$ be the set of isomorphism classes of pairs $(E_p, f)$ with $E_p/\mathbb{F}_{p^2}$ a supersingular elliptic curve and $f: \mathcal{O} \to \mathrm{End}(E_p)$ an embedding. Here, $(E_p, f)$ and $(E'_p, f')$ are isomorphic if there exists an isomorphism $h: E_p \to E'_p$ of elliptic curves with $h^{-1} f'(\alpha) h = f(\alpha)$ for all $\alpha \in \mathcal{O}$. As an analogue of picking the normalized isomorphism $\mathcal{O} \to \mathrm{End}(E)$ in characteristic zero, we now identify $(E_p, f)$ and $(E'_p, f')$ if $f$ equals the complex conjugate of $f'$.

Theorem 2 Let $D < -4$ be a discriminant. If $p$ is inert in $\mathcal{O} = \mathcal{O}_D$, the reduction map $\pi: \mathrm{Ell}_D(L) \to \mathrm{Emb}_D(\mathbb{F}_{p^2})$ is a bijection. Here, $L$ is the unramified extension of $\mathbb{Q}_p$ of degree 2.

Proof. By the Deuring lifting theorem, see [5] or [14, Th. 13.14], we can lift an element of $\mathrm{Emb}_D(\mathbb{F}_{p^2})$ to an element of $\mathrm{Ell}_D(L)$. Hence, the map is surjective.

Suppose that we have $\pi(E) = \pi(E')$. As $E$ and $E'$ both have endomorphism ring $\mathcal{O}$, they are isogenous. We let $\varphi_\mathfrak{a}: E \to E^\mathfrak{a} = E'$ be an isogeny. Writing $\mathcal{O} = \mathbb{Z}[\tau]$, we get
$$f' = f^\mathfrak{a}: \tau \mapsto \overline{\varphi_\mathfrak{a}}\, f(\tau)\, \widehat{\overline{\varphi_\mathfrak{a}}} \otimes (\deg \varphi_\mathfrak{a})^{-1} \in \mathrm{End}(E_p) \otimes \mathbb{Q},$$
where the bar denotes reduction modulo $p$. The map $\overline{\varphi_\mathfrak{a}}$ commutes with $f(\tau)$ and is thus contained in $S = f(\mathrm{End}(E)) \otimes \mathbb{Q}$.

Write $\mathcal{O}' = S \cap \mathrm{End}(E_p)$, and let $m$ be the index $[\mathcal{O}' : f(\mathrm{End}(E))]$. For any $\delta \in \mathcal{O}'$, there exists $\gamma \in \mathrm{End}(E)$ with $m\delta = f(\gamma)$. As $f(\gamma)$ annihilates the $m$-torsion $E_p[m]$, $\gamma$ annihilates $E[m]$, thus it is a multiple of $m$ inside $\mathrm{End}(E)$. We derive that $\delta$ is contained in $f(\mathrm{End}(E))$, and $\mathcal{O}' = f(\mathrm{End}(E))$. Hence, $\varphi_\mathfrak{a}$ is an endomorphism of $E$, and $E$ and $E^\mathfrak{a}$ are isomorphic. □

The canonical lift $E$ of a pair $(E_p, f) \in \mathrm{Emb}_D(\mathbb{F}_{p^2})$ is defined as the inverse $\pi^{-1}(E_p, f) \in \mathrm{Ell}_D(L)$. This generalizes the notion of a canonical lift for ordinary elliptic curves, and the main step of the $p$-adic algorithm described in Section 4 is to compute $E$: its $j$-invariant is a zero of the Hilbert class polynomial $H_D \in L[X]$.

The reduction map $\mathrm{Ell}_D(L) \to \mathrm{Emb}_D(\mathbb{F}_{p^2})$ induces a transitive and free action of the class group on the set $\mathrm{Emb}_D(\mathbb{F}_{p^2})$. For an $\mathcal{O}$-ideal $\mathfrak{a}$, let $\varphi_\mathfrak{a}: E \to E^\mathfrak{a}$ be the isogeny of CM-curves with kernel $E[\mathfrak{a}]$. Writing $\mathcal{O} = \mathbb{Z}[\tau]$, let $\beta \in \mathrm{End}(E)$ be the image of $\tau$ under the normalized isomorphism $\mathcal{O} \to \mathrm{End}(E)$. The normalized isomorphism for $E^\mathfrak{a}$ is now given by
$$\tau \mapsto \varphi_\mathfrak{a}\, \beta\, \widehat{\varphi_\mathfrak{a}} \otimes (\deg \varphi_\mathfrak{a})^{-1}.$$
We have $E^\mathfrak{a}_p = (E^\mathfrak{a})_p$ and $f^\mathfrak{a}$ is the composition $\mathcal{O} \to \mathrm{End}(E^\mathfrak{a}) \to \mathrm{End}(E^\mathfrak{a}_p)$. Note that principal ideals indeed act trivially: $\varphi_\mathfrak{a}$ is an endomorphism in this case and, as $\mathrm{End}(E)$ is commutative, we have $f = f^\mathfrak{a}$.

To explicitly compute this action, we fix one supersingular curve $E_p/\mathbb{F}_{p^2}$ and an isomorphism $i_{E_p}: A_{p,\infty} \to \mathrm{End}(E_p) \otimes \mathbb{Q}$ and view the embedding $f$ as an injective map $f: \mathcal{O} \to A_{p,\infty}$. Let $R = i_{E_p}^{-1}(\mathrm{End}(E_p))$ be the maximal order of $A_{p,\infty}$ corresponding to $E_p$. For $\mathfrak{a}$ an ideal of $\mathcal{O}$, we compute the curve $E^\mathfrak{a}_p = \overline{\varphi_\mathfrak{a}}(E_p)$ and choose an auxiliary isogeny $\psi_\mathfrak{b}: E_p \to E^\mathfrak{a}_p$. This induces an isomorphism $g_\mathfrak{b}: A_{p,\infty} \to \mathrm{End}(E^\mathfrak{a}_p) \otimes \mathbb{Q}$ given by
$$\alpha \mapsto \psi_\mathfrak{b}\, i_{E_p}(\alpha)\, \widehat{\psi_\mathfrak{b}} \otimes (\deg \psi_\mathfrak{b})^{-1}.$$
The left $R$-ideals $Rf(\mathfrak{a})$ and $\mathfrak{b}$ are left-isomorphic by [20, Th. 3.11] and thus we can find $x \in A_{p,\infty}$ with $Rf(\mathfrak{a}) = \mathfrak{b}x$. As $y = f(\tau)$ is an element of $Rf(\mathfrak{a})$, we get the embedding $\tau \mapsto xyx^{-1}$ into the right order $R_\mathfrak{b}$ of $\mathfrak{b}$. By construction, the induced embedding $f^\mathfrak{a}: \mathcal{O} \to \mathrm{End}(E^\mathfrak{a}_p)$ is precisely
$$f^\mathfrak{a}(\tau) = g_\mathfrak{b}(xyx^{-1}) \in \mathrm{End}(E^\mathfrak{a}_p),$$
and this is independent of the choice of $\mathfrak{b}$. For example, if $E^\mathfrak{a}_p = E_p$, then choosing $\psi_\mathfrak{b}$ as the identity, we find $x$ with $Rf(\mathfrak{a}) = Rx$ to get the embedding $f^\mathfrak{a}: \tau \mapsto i_{E_p}(xyx^{-1}) \in \mathrm{End}(E_p)$.
3 The multi-prime approach



This section is devoted to a precise description of the new algorithm for computing the Hilbert class polynomial $H_D \in \mathbb{Z}[X]$ via the Chinese remainder theorem.

Algorithm 1

Input: an imaginary quadratic discriminant $D$
Output: the Hilbert class polynomial $H_D \in \mathbb{Z}[X]$

0. Let $\{[A_i, B_i, C_i]\}_i$ be the set of primitive reduced binary quadratic forms of discriminant $B_i^2 - 4A_iC_i = D$ representing the class group $\mathrm{Cl}(\mathcal{O})$. Compute



which by [8] is an upper bound on the number $n$ of bits in the largest coefficient of $H_D$.

1. Choose a set $\mathcal{P}$ of primes $p$ such that $N = \prod_{p \in \mathcal{P}} p \ge 2^n$ and each $p$ is either inert in $\mathcal{O}$ or totally split in $K_\mathcal{O}$.

2. For all $p \in \mathcal{P}$, depending on whether $p$ is split or inert in $\mathcal{O}$, compute $H_D \bmod p$ using either Algorithm 2 or 3.

3. Compute $H_D \bmod N$ by the Chinese remainder theorem, and return its representative in $\mathbb{Z}[X]$ with coefficients in $(-\frac{N}{2}, \frac{N}{2})$.

The choice of $\mathcal{P}$ in Step 1 leaves some room for different flavors of the algorithm. Since Step 2 is exponential in $\log p$, the primes should be chosen as small as possible. The simplest case is to only use split primes, to be analyzed in Section 5. As the run time of Step 2 is worse for inert primes than for split primes, we view the use of inert primes as a practical improvement.

3.1 Split primes

A prime $p$ splits completely in $K_\mathcal{O}$ if and only if the equation $4p = u^2 - v^2 D$ has a solution in integers $u, v$. For any prime $p$, we can efficiently test if such a solution exists using an algorithm due to Cornacchia. In practice, we generate primes satisfying this relation by varying $u$ and $v$ and testing if $(u^2 - v^2 D)/4$ is prime.

Algorithm 2

Input: an imaginary quadratic discriminant $D$ and a prime $p$ that splits completely in $K_\mathcal{O}$
Output: $H_D \bmod p$

1. Find a curve $E$ over $\mathbb{F}_p$ with endomorphism ring $\mathcal{O}$. Set $j = j(E)$.

2. Compute the Galois conjugates $j^\mathfrak{a}$ for $\mathfrak{a} \in \mathrm{Cl}(\mathcal{O})$.

3. Return $H_D \bmod p = \prod_{\mathfrak{a} \in \mathrm{Cl}(\mathcal{O})} (X - j^\mathfrak{a})$.

Note: The main difference between this algorithm and the one proposed in [1] is that the latter determines all curves with endomorphism ring $\mathcal{O}$ via exhaustive search, while we search for one and obtain the others via the action of $\mathrm{Cl}(\mathcal{O})$ on the set $\mathrm{Ell}_D(\mathbb{F}_p)$.
Step 1 can be implemented by picking $j$-invariants at random until one with the desired endomorphism ring is found. With $4p = u^2 - v^2 D$, a necessary condition is that the curve $E$ or its quadratic twist $E'$ has $p + 1 - u$ points. In the case that $D$ is fundamental and $v = 1$, this condition is also sufficient. To test if one of our curves $E$ has the right cardinality, we pick a random point $P \in E(\mathbb{F}_p)$ and check if $(p + 1 - u)P = 0$ or $(p + 1 + u)P = 0$ holds. If neither of them does, $E$ does not have endomorphism ring $\mathcal{O}$. If $E$ survives this test, we select a few random points on both $E$ and $E'$ and compute the orders of these points assuming they divide $p + 1 \pm u$. If the curve $E$ indeed has $p + 1 \pm u$ points, we quickly find points $P \in E(\mathbb{F}_p)$, $P' \in E'(\mathbb{F}_p)$ of maximal order, since we have $E(\mathbb{F}_p) \cong \mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z}$ with $n_1 \mid n_2$ and a fraction $\varphi(n_2)/n_2$ of the points have maximal order. For $P$ and $P'$ of maximal order and $p > 457$, either the order of $P$ or the order of $P'$ is at least $4\sqrt{p}$, by [18, Theorem 3.1], due to J.-F. Mestre. As the Hasse interval has length $4\sqrt{p}$, this then proves that $E$ has $p + 1 \pm u$ points.

Let $\Delta = D/f^2$ be the fundamental discriminant associated to $D$. For $f \ne 1$ or $v \ne 1$ (which happens necessarily for $D \equiv 1 \bmod 8$), the curves with $p + 1 \pm u$ points admit any order $\mathcal{O}_{g^2 \Delta}$ such that $g \mid fv$ as their endomorphism rings. In this case, one possible strategy is to use Kohel's algorithm described in [12, Th. 24] to compute $g$, until a curve with $g = f$ is found. This variant is easiest to analyze and enough to prove Theorem 1.

In practice, one would rather keep a curve that satisfies $f \mid g$, since by the class number formula $g = vf$ with overwhelming probability. As $v$ and thus $g/f$ is small, it is then possible to use another algorithm due to Kohel [12] and analyzed in detail by Fouquet–Morain [11] to quickly apply an isogeny of degree $g/f$ leading to a curve with endomorphism ring $\mathcal{O}$.

Concerning Step 2, let $\mathrm{Cl}(\mathcal{O}) = \bigoplus_i \langle \mathfrak{l}_i \rangle$ be a decomposition of the class group into a direct product of cyclic groups generated by invertible degree 1 prime ideals $\mathfrak{l}_i$ of order $h_i$ and norm $\ell_i$ not dividing $pv$. The $j^\mathfrak{a}$ may then be obtained successively by computing the Galois action of the $\mathfrak{l}_i$ on $j$-invariants of curves with endomorphism ring $\mathcal{O}$ over $\mathbb{F}_p$, otherwise said, by computing $\ell_i$-isogenous curves: $h_1 - 1$ successive applications of $\mathfrak{l}_1$ yield $j^{\mathfrak{l}_1}, \ldots, j^{\mathfrak{l}_1^{h_1 - 1}}$; to each of them, $\mathfrak{l}_2$ is applied $h_2 - 1$ times, and so forth.

To explicitly compute the action of $\mathfrak{l}$ we let $\Phi_\ell(X, Y) \in \mathbb{Z}[X, Y]$ be the classical modular polynomial. It is a model for the modular curve $Y_0(\ell)$ parametrizing elliptic curves together with an $\ell$-isogeny, and it satisfies $\Phi_\ell(j(z), j(\ell z)) = 0$ for the modular function $j(z)$. If $j_0 \in \mathbb{F}_p$ is the $j$-invariant of some curve with endomorphism ring $\mathcal{O}$, then all the roots in $\mathbb{F}_p$ of $\Phi_\ell(X, j_0)$ are $j$-invariants of curves with endomorphism ring $\mathcal{O}$ by [12, Prop. 23]. If $\mathfrak{l}$ is unramified, there are two roots, $j_0^{\mathfrak{l}}$ and $j_0^{\bar{\mathfrak{l}}}$. For ramified $\mathfrak{l}$, we find only one root $j_0^{\mathfrak{l}} = j_0^{\bar{\mathfrak{l}}}$. So Step 2 is reduced to determining roots of univariate polynomials over $\mathbb{F}_p$.

3.2 Inert primes

Algorithm 3

Input: an imaginary quadratic discriminant $D$ and a prime $p$ that is inert in $\mathcal{O}$
Output: $H_D \bmod p$

1. Compute the list of supersingular $j$-invariants over $\mathbb{F}_{p^2}$ together with their endomorphism rings inside the quaternion algebra $A_{p,\infty}$.

2. Compute an optimal embedding $f: \mathcal{O} \to A_{p,\infty}$ and let $R$ be a maximal order that contains $f(\mathcal{O})$.

3. Select a curve $E/\mathbb{F}_{p^2}$ in the list with $\mathrm{End}(E) = R$, and let $j$ be its $j$-invariant.

4. Compute the Galois conjugates $j^\mathfrak{a}$ for $\mathfrak{a} \in \mathrm{Cl}(\mathcal{O})$.

5. Return $H_D \bmod p = \prod_{\mathfrak{a} \in \mathrm{Cl}(\mathcal{O})} (X - j^\mathfrak{a})$.



As the number of supersingular $j$-invariants grows roughly like $(p - 1)/12$, this algorithm is only feasible for small primes. For the explicit computation, we use an algorithm due to Cerviño [4] to compile our list. The list gives a bijection between the set of $\mathrm{Gal}(\mathbb{F}_{p^2}/\mathbb{F}_p)$-conjugacy classes of supersingular $j$-invariants and the set of maximal orders in $A_{p,\infty}$.

In Step 2 we compute an element $y \in A_{p,\infty}$ satisfying the same minimal polynomial as a generator $\tau$ of $\mathcal{O}$. For non-fundamental discriminants we need to ensure that the embedding is optimal, i.e., does not extend to an embedding of the maximal overorder of $\mathcal{O}$ into $A_{p,\infty}$. Using standard algorithms for quaternion algebras, Step 2 poses no practical problems. To compute the action of an ideal $\mathfrak{a}$ in Step 4, we note that the right order $R'$ of the left $R$-ideal $Rf(\mathfrak{a})$ is isomorphic to the endomorphism ring $\mathrm{End}(E')$ of a curve $E'$ with $j(E') = j^\mathfrak{a}$ by [20, Prop. 3.9]. The order $R'$ is isomorphic to a unique order in the list, and we get a conjugacy class of supersingular $j$-invariants. Since roots of $H_D \bmod p$ which are not in $\mathbb{F}_p$ come in conjugate pairs, this allows us to compute all the Galois conjugates $j^\mathfrak{a}$.

4 Computing the canonical lift of a supersingular curve

In this section we explain how to compute the Hilbert class polynomial $H_D$ of a discriminant $D < -4$ using a $p$-adic lifting technique for an inert prime $p \equiv 1 \bmod 12$. Our approach is based on the outline described in [7]. The condition $p \equiv 1 \bmod 12$ ensures that the $j$-values $0, 1728 \in \mathbb{F}_p$ are not roots of $H_D \in \mathbb{F}_p[X]$. The case where one of these two values is a root of $H_D \in \mathbb{F}_p[X]$ is more technical due to the extra automorphisms of the curve, and will be explained in detail in the first author's PhD thesis.

Under GRH, we can take $p$ to be small. Indeed, our condition amounts to prescribing a Frobenius symbol in the degree 8 extension $\mathbb{Q}(\zeta_{12}, \sqrt{D})/\mathbb{Q}$, and by effective Chebotarev [13] we may take $p$ to be of size $O((\log |D|)^2)$.

The first step of the algorithm is the same as for Algorithm 3 in Section 3: we compute a pair $(j(E_p), f_0) \in \mathrm{Emb}_D(\mathbb{F}_{p^2})$. The main step of the algorithm is to compute to sufficient $p$-adic precision the canonical lift $E$ of this pair, defined in Section 2 as the inverse under the bijection $\pi$ of Theorem 2.

For an arbitrary element $\eta \in \mathrm{Emb}_D(\mathbb{F}_{p^2})$, let
$$X_D(\eta) = \{(j(E), f) \mid j(E) \in \mathbb{C}_p,\ (j(E) \bmod p, f) = \eta\}$$
be a 'disc' of pairs lying over $\eta$. Here, $\mathbb{C}_p$ is the completion of an algebraic closure of $\mathbb{Q}_p$. The disc $X_D(\eta)$ contains the points of $\mathrm{Ell}_D(L)$ that reduce modulo $p$ to the $j$-invariant corresponding to $\eta$.

These discs are similar to the discs used for the split case in [7, 5]. The main difference is that now we need to keep track of the embedding as well. We can adapt the key idea of [7] to construct a $p$-adic analytic map from the set of discs to itself that has the CM-points as fixed points in the following way. Let $\mathfrak{a}$ be an $\mathcal{O}$-ideal of norm $N$ that is coprime to $p$. We define a map
$$\rho_\mathfrak{a}: \bigcup_\eta X_D(\eta) \to \bigcup_\eta X_D(\eta)$$
as follows. For $(j(E), f) \in X_D(\eta)$, the ideal $f(\mathfrak{a}) \subset \mathrm{End}(E_p)$ defines a subgroup $E_p[f(\mathfrak{a})] \subset E_p[N]$ which lifts canonically to a subgroup $E[\mathfrak{a}] \subset E[N]$. We define $\rho_\mathfrak{a}((j(E), f)) = (j(E/E[\mathfrak{a}]), f^\mathfrak{a})$, where $f^\mathfrak{a}$ is as in Section 2. If the map $f$ is clear, we also denote by $\rho_\mathfrak{a}$ the induced map on the $j$-invariants.
For principal ideals $\mathfrak{a} = (\alpha)$, the map $\rho_\alpha = \rho_\mathfrak{a}$ stabilizes every disc. Furthermore, as $E_p[(\alpha)]$ determines an endomorphism of $E_p$, the map $\rho_\alpha$ fixes the canonical lift $j(E)$. As $j(E_p)$ does not equal $0, 1728 \in \mathbb{F}_p$, the map $\rho_\alpha$ is $p$-adic analytic by [3, Theorem 4.2].

Writing $\alpha = a + b\tau$, the derivative of $\rho_\alpha$ in a CM-point $j(E)$ equals $\alpha/\bar{\alpha} \in L$ by [3, Lemma 4.3]. For $p \nmid a, b$ this is a $p$-adic unit and we can use a modified version of Newton's method to converge to $j(E)$ starting from a random lift $(j_1, f_0) \in X_D(\eta)$ of the chosen point $\eta = (j(E_p), f_0) \in \mathrm{Emb}_D(\mathbb{F}_{p^2})$. Indeed, the sequence
$$j_{k+1} = j_k - \frac{\rho_\alpha((j_k, f_0)) - j_k}{\alpha/\bar{\alpha} - 1} \qquad (2)$$
converges quadratically to $j(E)$. The run time of the resulting algorithm to compute $j(E) \in L$ up to the necessary precision depends heavily on the choice of $\alpha$. We find a suitable $\alpha$ by sieving in the set $\{a + b\tau \mid a, b \in \mathbb{Z},\ \gcd(a, b) = 1,\ a, b \not\equiv 0 \bmod p\}$. We refer to the example in Section 6.3 for the explicit computation of the map $\rho_\alpha$.

Once the canonical lift has been computed, the computation of the Galois conjugates is easier. To compute the Galois conjugate $j(E)^\mathfrak{l}$ of an ideal $\mathfrak{l}$ of prime norm $\ell \ne p$, we first compute the value $j(E_p)^\mathfrak{l} \in \mathbb{F}_{p^2}$ as in Algorithm 3 in Section 3. We then compute all roots of the $\ell$-th modular polynomial $\Phi_\ell(j(E), X) \in L[X]$ that reduce to $j(E_p)^\mathfrak{l}$. If there is only one such root, we are done: this is the Galois conjugate we are after. In general, if $m > 1$ is the $p$-adic precision required to distinguish the roots, we compute the value $\rho_\mathfrak{l}((j(E), f_0))$ to $m + 1$ $p$-adic digits precision to decide which root of the modular polynomial is the Galois conjugate. After computing all conjugates, we expand the product $\prod_{\mathfrak{a} \in \mathrm{Cl}(\mathcal{O})} (X - j(E)^\mathfrak{a}) \in \mathbb{Z}_L[X]$ and recognize the coefficients as integers.



5 Complexity analysis

This section is devoted to the run time analysis of Algorithm 1 and the proof of Theorem 1. To allow for an easier comparison with other methods to compute $H_D$, the analysis is carried out with respect to all relevant variables: the discriminant $D$, the class number $h(D)$, the logarithmic height $n$ of the class polynomial and the largest prime generator $\ell(D)$ of the class group, before deriving a coarser bound depending only on $D$.



5.1 Some number theoretic bounds

For the sake of brevity, we write llog for log log and lllog for log log log.

The bound given in Algorithm 1 on $n$, the bit size of the largest coefficient of the class polynomial, depends essentially on two quantities: the class number $h(D)$ of $\mathcal{O}$ and the sum $\sum_{[a,b,c]} \frac{1}{a}$, taken over a system of primitive reduced quadratic forms representing the class group $\mathrm{Cl}(\mathcal{O})$.

Lemma 1 We have $h(D) = O(|D|^{1/2} \log |D|)$. Under GRH, we have $h(D) = O(|D|^{1/2} \operatorname{llog} |D|)$.

Proof. By the analytic class number formula, we have to bound the value of the Dirichlet L-series $L(s, \chi_D)$ associated to $D$ at $s = 1$. The unconditional bound follows directly from [19], the conditional bound follows from [15]. □

Lemma 2 We have $\sum_{[a,b,c]} \frac{1}{a} = O((\log |D|)^2)$. If GRH holds true, we have $\sum_{[a,b,c]} \frac{1}{a} = O(\log |D| \operatorname{llog} |D|)$.

Proof. The bound $\sum_{[a,b,c]} \frac{1}{a} = O((\log |D|)^2)$ is proved in [17] with precise constants in [8]; the argument below will give a different proof of this fact.

By counting the solutions of $B^2 \equiv D \pmod{4A}$ for varying $A$ and using the Chinese remainder theorem, we obtain
$$\sum_{[A,B,C]} \frac{1}{A} \le \sum_{A \le \sqrt{|D|}} \frac{\prod_{p \mid A} \left(1 + \left(\frac{D}{p}\right)\right)}{A}.$$
The Euler product expansion bounds this by a product of local factors over the primes $p \le \sqrt{|D|}$. By Mertens' theorem, this is at most $c \log |D|$ times a product over the same primes, for some constant $c > 0$. This last product is essentially the value of the Dirichlet L-series $L(1, \chi_D)$ and the same remarks as in Lemma 1 apply. □

Lemma 3 If GRH holds true, the primes needed for Algorithm 1 are bounded by $O\left(h(D) \max\left(h(D) (\log |D|)^4, n\right)\right)$.

Proof. Let $k(D)$ be the required number of splitting primes. We have $k(D) \in O\left(\frac{n}{\log |D|}\right)$, since each prime has at least $\log_2 |D|$ bits.

Let $\pi_1(x, K_\mathcal{O}/\mathbb{Q})$ be the number of primes up to $x \in \mathbb{R}_{>0}$ that split completely in $K_\mathcal{O}/\mathbb{Q}$. By [13, Th. 1.1] there is an effectively computable constant $c \in \mathbb{R}_{>0}$, independent of $D$, such that
$$\left| \pi_1(x, K_\mathcal{O}/\mathbb{Q}) - \frac{\mathrm{Li}(x)}{2h(D)} \right| \le c \left( \frac{\sqrt{x}\, \log\left(|D|^{h(D)} x^{2h(D)}\right)}{2h(D)} + \log\left(|D|^{h(D)}\right) \right), \qquad (3)$$
where we have used the bound $\mathrm{disc}(K_\mathcal{O}/\mathbb{Q}) \le |D|^{h(D)}$ proven in [3, Lemma 3.1]. It suffices to find an $x \in \mathbb{R}_{>0}$ for which $\mathrm{Li}(x)/(2h(D)) - k(D)$ is larger than the right hand side of (3). Using the estimate $\mathrm{Li}(x) \sim x/\log x$, we see that the choice $x = O\left(\max\left(h(D)^2 \log^4 |D|, h(D)\, n\right)\right)$ works. □



5.2 Complexity of Algorithm 2

Let us fix some notation and briefly recall the complexities of the asymptotically fastest algorithms for basic arithmetic. Let $M(\log p) \in O(\log p \operatorname{llog} p \operatorname{lllog} p)$ be the time for a multiplication in $\mathbb{F}_p$ and $M_X(\ell, \log p) \in O(\ell \log \ell\, M(\log p))$ the time for multiplying two polynomials over $\mathbb{F}_p$ of degree $\ell$.

As the final complexity will be exponential in $\log p$, we need not worry about the detailed complexity of polynomial or subexponential steps. Writing $4p = u^2 - v^2 D$ takes polynomial time by the Cornacchia and Tonelli–Shanks algorithms [5, Sec. 1.5]. By Lemma 3 we may assume that $v$ is polynomial in $\log |D|$.

Concerning Step 2, we expect to check $O(p/h(D))$ curves until finding one with endomorphism ring $\mathcal{O}$. To test if a curve has the desired cardinality, we need to compute the orders of $O(\operatorname{llog} p)$ points, and each order computation takes time $O((\log p)^2 M(\log p))$. Among the curves with the right cardinality, a fraction of $\frac{h(D)}{H(v^2 D)}$, where $H(v^2 D)$ is the Kronecker class number, has the desired endomorphism ring. So we expect to apply Kohel's algorithm with run time $O(p^{1/3 + o(1)})$ an expected $\frac{H(v^2 D)}{h(D)} \in O(v \operatorname{llog} v)$ times. As $p^{1/3}$ is dominated by $p/h(D)$ of order about $p^{1/2}$, Step 2 takes time altogether
$$O\left(\frac{p}{h(D)} (\log p)^2 M(\log p) \operatorname{llog} p\right). \qquad (4)$$

Heuristically, we only check if some random points are annihilated by $p + 1 \pm u$ and do not compute their actual orders. The $(\log p)^2$ in (4) then becomes $\log p$.

In Step 3, the decomposition of the class group into a product of cyclic groups takes subexponential time. Furthermore, since all involved primes $\ell_i$ are of size $O((\log |D|)^2)$ under GRH, the time needed to compute the modular polynomials is negligible. Step 3 is thus dominated by $O(h(D))$ evaluations of reduced modular polynomials and by the computation of their roots.

Once $\Phi_\ell \bmod p$ is computed, it can be evaluated in time $O(\ell^2 M(\log p))$. Finding its roots is dominated by the computation of $X^p$ modulo the specialized polynomial of degree $\ell + 1$, which takes time $O(\log p\, M_X(\ell, \log p))$. Letting $\ell(D)$ denote the largest prime needed to generate the class group, Step 3 takes time
$$O\left(h(D)\, \ell(D)\, M(\log p)\, (\ell(D) + \operatorname{llog} |D| \log p)\right). \qquad (5)$$
Under GRH, $\ell(D) \in O((\log |D|)^2)$, and heuristically, $\ell(D) \in O((\log |D|)^{1+\varepsilon})$.

By organizing the multiplications of polynomials in a tree of height $O(\log h)$, Step 4 takes $O(\log h(D)\, M_X(h(D), \log p))$, which is dominated by Step 3. We conclude that the total complexity of Algorithm 2 is dominated by Steps 2 and 3 and given by the sum of (4) and (5).



5.3 Proof of Theorem 1

We assume that $\mathcal{P} = \{p_1, p_2, \ldots\}$ is chosen as the set of the smallest primes $p$ that split into principal ideals of $\mathcal{O}$. Notice that $\log p, \log h(D) \in O(\log |D|)$, so that we may express all logarithmic quantities with respect to $D$.

The dominant part of the algorithm are the $O(n / \log |D|)$ invocations of Algorithm 2 in Step 2. Specializing (4) and (5), using the bound on the largest prime of Lemma 3 and assuming that $\ell(D) \in \Omega(\log |D| \operatorname{llog} |D|)$, this takes time
$$O\left(n\, M(\log |D|) \left( h(D) \frac{\ell(D)^2}{\log |D|} + \log |D| \operatorname{llog} |D| \max\left(h(D) (\log |D|)^4, n\right) \right)\right). \qquad (6)$$

Finally, the fast Chinese remainder algorithm takes $O(M(\log N) \operatorname{llog} N)$ by [21, Th. 10.25], so that Step 3 can be carried out in $O(h(D)\, M(n) \log |D|)$, which is also dominated by Step 2. Plugging the bounds of Lemmata 1 and 2 into (6) proves the rigorous part of Theorem 1.

For the heuristic result, we note that Lemma 3 overestimates the size of the primes, since it gives a very high bound already for the first split prime. Heuristically, one would rather expect that all primes are of size $O(nh)$. Combined with the heuristic improvements to (4) and (5), we find the run time
$$O\left(n\, M(\log |D|) \left( n + h(D) \frac{\ell(D)^2}{\log |D|} \right)\right). \qquad □$$



5.4 Comparison

The bounds under GRH of Lemmata 1 and 2 also yield a tighter analysis for other algorithms computing $H_D$. By [8, Th. 1], the run time of the complex analytic algorithm turns out to be $O(|D| (\log |D|)^3 (\operatorname{llog} |D|)^3)$, which is essentially the same as the heuristic bound of Theorem 1.

The run time of the $p$-adic algorithm becomes $O(|D| (\log |D|)^{6+o(1)})$. A heuristic run time analysis of this algorithm has not been undertaken, but it seems likely that $O(|D| (\log |D|)^{3+o(1)})$ would be reached again.
6 Examples and practical considerations

6.1 Inert primes

For very small primes there is a unique supersingular $j$-invariant in characteristic $p$. For example, for $D \equiv 5 \bmod 8$, the prime $p = 2$ is inert in $\mathcal{O}_D$ and we immediately have $H_D \bmod 2 = X^{h(D)}$. More work needs to be done if there is more than one supersingular $j$-invariant in $\mathbb{F}_{p^2}$, as illustrated by computing $H_{-71} \bmod 53$. The ideal $\mathfrak{a} = (2, 3 + \tau)$ generates the order 7 class group of $\mathcal{O} = \mathbb{Z}[\tau]$. The quaternion algebra $A_{p,\infty}$ has a basis $\{1, i, j, k\}$ with $i^2 = -2$, $j^2 = -53$, $ij = k$, and the maximal order $R$ with basis $\{1, i, \frac{1}{4}(2 - i - k), -\frac{1}{2}(1 + i + j)\}$ is isomorphic to the endomorphism ring of the curve with $j$-invariant 50. We compute the embedding $f: \tau \mapsto y = \frac{1}{2} - \frac{3}{2} i + \frac{1}{2} j \in R$, where $y$ satisfies $y^2 - y + 18 = 0$. Calculating the right orders of the left $R$-ideals $Rf(\mathfrak{a}^i)$ for $i = 1, \ldots, 7$, we get a sequence of orders corresponding to the $j$-invariants $28 \pm 9\sqrt{2}, 46, 0, 46, 28 \pm 9\sqrt{2}, 50, 50$ and compute $H_{-71} \bmod 53 = X (X - 46)^2 (X - 50)^2 (X^2 + 50X + 39)$.

6.2 Totally split primes

For $D = -71$, the smallest totally split prime is $p = 107 = \frac{12^2 + 4 \cdot 71}{4}$. Any curve over $\mathbb{F}_p$ with endomorphism ring $\mathcal{O}$ is isomorphic to a curve with $m = p + 1 \pm 12 = 96$ or $120$ points. By trying randomly chosen $j$-invariants, we find that $E: Y^2 = X^3 + X + 35$ has 96 points. We either have $\mathrm{End}(E) = \mathcal{O}_D$ or $\mathrm{End}(E) = \mathcal{O}_{4D}$. In this simple case there is no need to apply Kohel's algorithm. Indeed, $\mathrm{End}(E)$ equals $\mathcal{O}_D$ if and only if the complete 2-torsion is $\mathbb{F}_p$-rational. The curve $E$ has only the point $P = (18, 0)$ as rational 2-torsion point, and therefore has endomorphism ring $\mathcal{O}_{4D}$. The 2-isogenous curve $E' = E/\langle P \rangle$ given by $Y^2 = X^3 + 58X + 59$ of $j$-invariant 19 has endomorphism ring $\mathcal{O}_D$.

The smallest odd prime generating the class group is $\ell = 3$. The third modular polynomial $\Phi_3(X, Y)$ has the two roots $46, 63$ when evaluated in $X = j(E') = 19 \in \mathbb{F}_p$. Both values are roots of $H_D \bmod p$. We successively find the other Galois conjugates $64, 77, 30, 57$ using the modular polynomial $\Phi_3$ and expand
$$H_{-71} \bmod 107 = X^7 + 72X^6 + 93X^5 + 73X^4 + 46X^3 + 29X^2 + 30X + 19.$$
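The computation of this section, and Steps 1 to 3 of Algorithm 2 behind it, redone as an added example (this is not code from the paper): it counts the points of $E$ over $\mathbb{F}_{107}$, finds the rational 2-torsion, applies Vélu's formulas for the 2-isogeny to $E'$, and then walks the Galois orbit of $j(E') = 19$ through the roots of $\Phi_3 \bmod 107$ to rebuild $H_{-71} \bmod 107$. The coefficients of the classical $\Phi_3$ are taken from the standard tables, and every root search is brute force over $\mathbb{F}_{107}$, which is only acceptable at this size.

```python
P = 107          # p = (12^2 + 4*71)/4, the smallest prime that splits completely for D = -71
U = 12           # trace of Frobenius: E or its twist has p + 1 - 12 = 96 points

def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion, returned in {-1, 0, 1}."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def point_count(a, b, p=P):
    """#E(F_p) for E: y^2 = x^3 + a*x + b, by summing Legendre symbols (fine for tiny p)."""
    return p + 1 + sum(legendre(x**3 + a*x + b, p) for x in range(p))

def j_invariant(a, b, p=P):
    """j = 1728 * 4a^3 / (4a^3 + 27b^2) in F_p."""
    four_a3 = 4 * pow(a, 3, p) % p
    return 1728 * four_a3 * pow((four_a3 + 27 * b * b) % p, -1, p) % p

def rational_two_torsion(a, b, p=P):
    """x-coordinates of the F_p-rational points of order 2 (roots of x^3 + ax + b)."""
    return [x for x in range(p) if (x**3 + a*x + b) % p == 0]

def velu_two_isogeny(a, b, x0, p=P):
    """Codomain of the 2-isogeny with kernel <(x0, 0)> by Velu's formulas for
    y^2 = x^3 + ax + b: a' = a - 5t, b' = b - 7w with t = 3*x0^2 + a, w = x0*t."""
    t = (3 * x0 * x0 + a) % p
    w = x0 * t % p
    return (a - 5 * t) % p, (b - 7 * w) % p

# Classical modular polynomial Phi_3(X, Y) (symmetric in X and Y); only the monomials
# X^i Y^j with i >= j are listed, phi3() adds the mirrored term.
PHI3 = {
    (4, 0): 1, (3, 3): -1, (3, 2): 2232, (3, 1): -1069956, (3, 0): 36864000,
    (2, 2): 2587918086, (2, 1): 8900222976000, (2, 0): 452984832000000,
    (1, 1): -770845966336000000, (1, 0): 1855425871872000000000,
}

def phi3(x, y, p=P):
    """Phi_3(x, y) mod p."""
    total = 0
    for (i, j), c in PHI3.items():
        total += c * pow(x, i, p) * pow(y, j, p)
        if i != j:
            total += c * pow(x, j, p) * pow(y, i, p)
    return total % p

def isogenous_j(j, p=P):
    """Roots in F_p of Phi_3(X, j): j-invariants of the 3-isogenous curves over F_p.
    For j with End = O these are exactly the conjugates j^l and j^{l-bar} of Section 3.1."""
    return [x for x in range(p) if phi3(x, j, p) == 0]

def galois_orbit(j0, p=P):
    """Closure of {j0} under 3-isogeny steps: the orbit of <l> in Cl(O). Here it is all
    of Cl(O), because the prime l above 3 generates the class group of order 7."""
    orbit, todo = {j0}, [j0]
    while todo:
        for jj in isogenous_j(todo.pop(), p):
            if jj not in orbit:
                orbit.add(jj)
                todo.append(jj)
    return sorted(orbit)

def class_polynomial_mod_p(roots, p=P):
    """Coefficients (leading first) of prod_r (X - r) over F_p (Step 3 of Algorithm 2)."""
    coeffs = [1]
    for r in roots:
        coeffs = [(hi - r * lo) % p for hi, lo in zip(coeffs + [0], [0] + coeffs)]
    return coeffs

def section_6_2():
    """Redo the D = -71, p = 107 computation and return the intermediate results:
    #E, rational 2-torsion, E', j(E'), the Galois conjugates and H_{-71} mod 107."""
    a, b = 1, 35                                   # E: Y^2 = X^3 + X + 35 over F_107
    n = point_count(a, b)                          # 96 = p + 1 - u
    two_tors = rational_two_torsion(a, b)          # [18]: a single rational 2-torsion point,
                                                   # so End(E) = O_{4D} rather than O_D
    a2, b2 = velu_two_isogeny(a, b, two_tors[0])   # E' = E/<(18, 0)>: Y^2 = X^3 + 58X + 59
    j2 = j_invariant(a2, b2)                       # 19, a root of H_{-71} mod 107
    orbit = galois_orbit(j2)                       # the seven Galois conjugates
    return n, two_tors, (a2, b2), j2, orbit, class_polynomial_mod_p(orbit)

if __name__ == "__main__":
    print(section_6_2())
```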

6.3 Inert lifting

We illustrate the algorithm of Section 4 by computing $H_D$ for $D = -56$.

The prime $p = 37$ is inert in $\mathcal{O} = \mathcal{O}_D$. The supersingular $j$-invariants in characteristic $p$ are $8, 3 \pm 14\sqrt{-2}$. We fix a curve $E = E_p$ with $j$-invariant 8. We take the basis $\{1, i, j, k\}$, with $i^2 = -2$ and $ij = k$, of the quaternion algebra $A_{p,\infty}$. This basis is also a $\mathbb{Z}$-basis for a maximal order $R \subset A_{p,\infty}$ that is isomorphic to the endomorphism ring $\mathrm{End}(E_p)$.

Writing $\mathcal{O}_D = \mathbb{Z}[\tau]$, we compute an element $y = [0, 1, 1, -1] \in R$ satisfying $y^2 + 56 = 0$. This determines the embedding $f = f_0$ and we need to lift the pair $(E, f)$ to its canonical lift. As element $\alpha$ for the 'Newton map' $\rho_\alpha$, we use a generator of $\mathfrak{a}^4$ where $\mathfrak{a} = (3, 1 + \tau)$ is a prime lying over 3.

To find the kernel $E[f(\mathfrak{a})]$ we check which 3-torsion points $P \in E[3]$ are killed by $f(1 + \tau) \in \mathrm{End}(E)$. We find $P = 18 \pm 9\sqrt{-2}$, and use Vélu's formulas to find $E^\mathfrak{a} = E$ of $j$-invariant 8. As $E$ and $E^\mathfrak{a}$ are isomorphic, it is easy to compute $f^\mathfrak{a}$. We compute a left-generator $x = [1, 1, 0, 0] \in R$ of the left $R$-ideal $Rf(\mathfrak{a})$ to find $f^\mathfrak{a}(\tau) = xyx^{-1} = [-1, 0, 1, 1] \in R$.

Next, we compute the $\mathfrak{a}$-action on the pair $(E^\mathfrak{a}, f^\mathfrak{a}) = (E, f^\mathfrak{a})$. We find that $P = 19 \pm 12\sqrt{-2}$ is annihilated by $f^\mathfrak{a}(1 + \tau) \in \mathrm{End}(E)$. The curve $E^{\mathfrak{a}^2}$ of $j$-invariant $3 - 14\sqrt{-2}$ is not isomorphic to $E$. We pick a 2-isogeny $\psi_\mathfrak{b}: E^\mathfrak{a} \to E^{\mathfrak{a}^2}$ with kernel $\langle 19 + 23\sqrt{-2} \rangle$. The ideal $\mathfrak{b}$ has basis $\{2, i + j, 2j, k\}$ and is left-isomorphic to $Rf^\mathfrak{a}(\mathfrak{a})$ via left-multiplication by $x' = [-1, \frac{1}{2}, \frac{1}{2}, -\frac{1}{2}] \in R$. We get $f^{\mathfrak{a}^2}(\tau) = x' y x'^{-1} = [0, 1, 1, -1] \in R_\mathfrak{b}$, and we use the map $g_\mathfrak{b}$ from Section 2 to view this as an embedding into $\mathrm{End}(E^{\mathfrak{a}^2})$.

The action of $\mathfrak{a}^3$ and $\mathfrak{a}^4$ is computed in the same way. We find a cycle of 3-isogenies
$$(E, f) \to (E^\mathfrak{a} = E, f^\mathfrak{a}) \to (E^{\mathfrak{a}^2}, f^{\mathfrak{a}^2}) \to (E^{\mathfrak{a}^3}, f^{\mathfrak{a}^3}) \to (E^{\mathfrak{a}^4}, f^{\mathfrak{a}^4}) = (E, f)$$
where each element of the cycle corresponds uniquely to a root of $H_D$. We have now also computed $H_D \bmod p = (X - 8)^2 (X^2 - 6X - 6)$.

As a lift of $E$ we choose the curve defined by $Y^2 = X^3 + 201X + 420$ over the unramified extension $L$ of degree 2 of $\mathbb{Q}_p$. We lift the cycle of isogenies over $\mathbb{F}_{p^2}$ to $L$ in 2 $p$-adic digits precision using Hensel's lemma, and update according to the Newton formula (2) to find $j(E) = -66 + 148\sqrt{-2} + O(p^2)$. Next we work with 4 $p$-adic digits precision, lift the cycle of isogenies and update the $j$-invariant as before. In this example, it suffices to work with 16 $p$-adic digits precision to recover $H_D \in \mathbb{Z}[X]$.

Since we used a generator of an ideal generating the class group, we get the Galois conjugates of $j(E)$ as a byproduct of our computation. In the end we expand the polynomial $H_{-56} = \prod_{\mathfrak{a} \in \mathrm{Cl}(\mathcal{O})} (X - j(E)^\mathfrak{a}) \in \mathbb{Z}[X]$, which has coefficients with up to 23 decimal digits.

6.4 Chinese remainder theorem

As remarked in Section 5.4, the heuristic run time of Theorem 1 is comparable to the expected run times of both the complex analytic and the $p$-adic approaches from [9] and [3, 7]. To see if the CRT-approach is comparable in practice as well, we computed an example with a reasonably sized discriminant $D = -108708$, the first discriminant with class number 100.

The a posteriori height of $H_D$ is 5874 bits, and we fix a target precision of $n = 5943$. The smallest totally split prime is 27241. If only such primes are used, the largest one is 956929 for a total of 324 primes. Note that these primes are indeed of size roughly $|D|$, in agreement with Lemma 3. We have partially implemented the search for a suitable curve: for each $4p = u^2 - v^2 D$ we look for the first $j$-invariant such that for a random point $P$ on an associated curve, $(p + 1)P$ and $uP$ have the same $X$-coordinate. This allows us to treat the curve and its quadratic twist simultaneously. The largest occurring value of $v$ is 5. Altogether, 487237 curves need to be checked for the target cardinality.

On an Athlon-64 2.2 GHz computer, this step takes roughly 18.5 seconds. As comparison, the third author's complex analytic implementation takes 0.3 seconds on the same machine. To speed up the multi-prime approach, we incorporated some inert primes. Out of the 168 primes less than 1000, there are 85 primes that are inert in $\mathcal{O}$. For many of them, the computation of $H_D \bmod p$ is trivial. Together, these primes contribute 707 bits and we only need 288 totally split primes, the largest one being 802597. The required 381073 curve cardinalities are tested in 14.2 seconds.

One needs to be careful when drawing conclusions from only few examples, but the difference between 14.2 and 0.3 seconds suggests that the implicit constants in the O-symbol are worse for the CRT-approach.

6.5 Class invariants

For many applications, we are mostly interested in a generating polynomial for the ring class field $K_\mathcal{O}$. As the Hilbert class polynomial has very large coefficients, it is then better to use 'smaller functions' than the $j$-function to save a constant factor in the size of the polynomials. We refer to [10, 16] for the theory of such class invariants.

There are theoretical obstructions to incorporating class invariants into Algorithm 1. Indeed, if a modular function $f$ has the property that there are class invariants $f(\tau_1)$ and $f(\tau_2)$ with different minimal polynomials, we cannot use the CRT-approach. This phenomenon occurs for instance for the double eta quotients described in [10]. For the discriminant $D$ in Section 6.4 we can use the double eta quotient of level $3 \cdot 109$ to improve the 0.3 seconds of the complex analytic approach. For CRT, we need to consider less favourable class invariants.